SSH Keys - The agent has no identities.

dnk
Community Member
edited March 25 in SSH

Hi there, I am attempting to set up my SSH keys during my trial period (evaluating 1Password). I followed the docs, and when I test for the keys, I get the above error, and when I authenticate to a server, I am getting:

❯ ssh docker
[email protected]: Permission denied (publickey).

Any suggestions?

  • I have rebooted, restarted SSH services post config changes and restarted the 1Password app as well.

Thank you very much.

System Specs

❯ cat -p /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.10
DISTRIB_CODENAME=impish
DISTRIB_DESCRIPTION="Ubuntu 21.10"
1Password for Linux 8.6.0

80600076, on PRODUCTION channel
Brave with the Chrome extension (2.3.0)

System Config

Key Entry

Desktop App

SSH Config

Host *
  IdentityAgent ~/.1password/agent.sock

Processes

❯ ps aux | grep 1pass
dustin   1338775  2.4  0.2 25510072 144948 ?     Sl   09:52   0:08 /opt/1Password/1password --type=renderer --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --app-path=/opt/1Password/resources/app.asar --enable-sandbox --disable-blink-features=Auxclick --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --launch-time-ticks=34298985616 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess
dustin   2644225  0.0  0.0   8748  6148 pts/4    S+   09:58   0:00 rg 1pass
dustin   4064145  0.3  0.2 21574616 178104 ?     Sl   09:46   0:02 /opt/1Password/1password --enable-crashpad
dustin   4064219  0.0  0.0 16993684 48160 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --no-zygote-sandbox --enable-crashpad --enable-crashpad
dustin   4064224  0.0  0.0 16993684 45688 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --enable-crashpad --enable-crashpad
dustin   4064286  0.0  0.0 16993684 12360 ?      S    09:46   0:00 /opt/1Password/1password --type=zygote --enable-crashpad --enable-crashpad
dustin   4065377  0.4  0.2 17400988 132784 ?     Sl   09:46   0:03 /opt/1Password/1password --type=gpu-process --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --gpu-preferences=UAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --shared-files --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess
dustin   4065418  0.0  0.0 17059348 58260 ?      Sl   09:46   0:00 /opt/1Password/1password --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess --enable-crashpad
dustin   4066455  0.0  0.1 25506024 92712 ?      Sl   09:46   0:00 /opt/1Password/1password --type=renderer --enable-crashpad --enable-crash-reporter=e902f537-9180-4273-99fa-bdc20a5b2130,no_channel --user-data-dir=/home/dustin/.config/1Password --standard-schemes=resource,file-icon --enable-sandbox --secure-schemes --bypasscsp-schemes=resource,file-icon --cors-schemes --fetch-schemes=resource,file-icon --service-worker-schemes --streaming-schemes --app-path=/opt/1Password/resources/app.asar --enable-sandbox --disable-blink-features=Auxclick --lang=en-GB --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --launch-time-ticks=33918101183 --shared-files=v8_context_snapshot_data:100 --field-trial-handle=0,2157891041157314061,2950027978502139891,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess

Checking for Keys

❯ export SSH_AUTH_SOCK=~/.1password/agent.sock
❯ ssh-add -l
The agent has no identities.

1Password Version: Linux 8.6.0
Extension Version: version 2.3.0
OS Version: Ubuntu 21.10

Comments

  • miquella
    Community Member

    I've been running into a very similar error trying to set up the 1Password SSH Agent. Eventually I was able to sort out that mine was due to my SSH key being in my "Work" vault, not my "Private" vault.

    Differences in my environment:

    • Fedora 35
    • Chrome Browser
    • ~/.ssh/config
    Host *
        IdentityAgent ~/.1password/agent.sock
        IdentityFile ~/.ssh/id_op.pub
        IdentitiesOnly yes
    
  • dnk
    Community Member

    being in my "Work" vault, not my "Private" vault.

    THIS!!!

    I had a separate vault for SSH keys. Once I moved it back, everything worked as expected!

    Thanks a TON.

  • floris_1P

    Team Member

    Correct, the agent will only use keys from your Private/Personal vault. We're working on a way to remove this limitation by offering an opt-in mechanism to use keys from other vaults. When doing so, would you guys prefer an opt in per vault or per individual key?
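
Added example, not part of the thread and not 1Password's own tooling: a shell triage that separates an unreachable agent socket from a reachable agent that exposes no keys, which is the case the replies above trace to the key sitting outside the Private/Personal vault. The function names are hypothetical; it assumes OpenSSH's `ssh -G` output format and the `ssh-add -l` exit statuses documented in ssh-add(1).

```bash
#!/usr/bin/env bash
# Added example: triage "The agent has no identities" for an IdentityAgent socket.

# Read `ssh -G <host>` output on stdin and print the effective IdentityAgent.
# ssh -G prints lowercase keywords, one "keyword value" pair per line.
agent_sock_from_ssh_G() {
  awk '$1 == "identityagent" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# ssh -G may print the path with a leading "~/"; expand it against $HOME.
expand_tilde() {
  case "$1" in
    "~/"*) rest=${1#\~/}; printf '%s\n' "$HOME/$rest" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# Map the exit status of `ssh-add -l` to a diagnosis (ssh-add(1):
# 0 = keys listed, 1 = command failed / no identities, 2 = agent unreachable).
classify_ssh_add_status() {
  case "$1" in
    0) echo "ok: agent is reachable and exposes at least one key" ;;
    1) echo "no-identities: agent is reachable but exposes no keys; check which vault holds the SSH key item" ;;
    2) echo "unreachable: cannot contact the agent; check the socket path and that the agent is enabled" ;;
    *) echo "unknown: unexpected ssh-add exit status $1" ;;
  esac
}

# Resolve the agent socket ssh would use for a host, then query that agent.
diagnose() {
  sock="$(ssh -G "$1" 2>/dev/null | agent_sock_from_ssh_G)"
  case "$sock" in
    none) echo "disabled: IdentityAgent is set to none for $1"; return 0 ;;
    ""|SSH_AUTH_SOCK) sock="${SSH_AUTH_SOCK:-}" ;;
  esac
  sock="$(expand_tilde "$sock")"
  [ -S "$sock" ] || { classify_ssh_add_status 2; return 0; }
  status=0
  SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || status=$?
  classify_ssh_add_status "$status"
}

# Run only when a host alias is given, e.g. `./triage.sh docker`.
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```
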

  • Cu3PO42
    Community Member

    I would also like the ability to configure the keys the agent will use either per vault or per key. In a perfect world, I'd like a per vault setting and an optional per-key override, but realistically, I believe having either option would be fine. However, I would also like the ability to disable keys from the Private vault. This can obviously be worked around by moving those keys to yet another vault, but it would be a nice touch in my opinion.

  • jc00ke
    Community Member

    Ah, this is what's been getting me! We store shared SSH keys in staging and production vaults and I was wondering why the 1Password SSH agent stopped working. Yeah, would love either per-vault (probably ideal in my case) or per-key.

  • jc00ke
    Community Member

    Honestly, it would be cool to be able to use the secret reference syntax.

  • bbeckford
    Community Member

    @floris_1P I'd love an opt-in per vault, but per individual key would also be useful to be honest!

  • Hacksore
    Community Member

    I'd love to have the per vault opt-in but as others have said individual key could be nice as well.

  • wavesound
    Community Member

    Not sure what you mean by Opt-In vs Individual Key? But I am a fan of removing the limitation!

  • Hacksore
    Community Member
    edited June 21

    What I'd like for a user experience is I can opt-in a whole vault for example:

    App XYZ - UAT (All keys in this vault would be exposed to the agent)

    Or being able to pick a certain key inside a vault marked for usability example:

    App XYZ - PROD => App Server SSH (Only this key would be exposed to the agent)

    Hope that helps add more clarity to what I'm trying to convey.
